SUMMARY Re: client certificates -- howto?
After finishing up the summary I have a few questions:
1) Why isn't ldapwhoami converting "0.9.2342.19200300.100.1.1" to "uid"?
2) Why is the SSF 0?
3) Is there a .ldaprc directive to use the sasl EXTERNAL mech all the time?
This is a summary of how I created a working client certificate. I
already had server certs working - and this required setting up a CA for
myself. My directory is set up such that 'uid' is used in the DN. If
yours isn't, I doubt that this will work for you:
I first created a minimal openssl configuration file to teach openssl
about the concept of 'uid':
>>>>>>>>>>>>>>>>
oid_section = new_oids
[ new_oids ]
uid=0.9.2342.19200300.100.1.1
[ req ]
default_bits = 1024
default_keyfile = user.key
distinguished_name = req_distinguished_name
string_mask = nombstr
req_extensions = v3_req
[ req_distinguished_name ]
uid = user id
uid_max = 20
[ v3_req ]
nsCertType = client,email
basicConstraints = critical,CA:false
<<<<<<<<<<<<<<<<<
(it is likely that not all of that is necessary)
I called it 'user-cert.conf'
I generated the private key:
$ openssl genrsa -out USERNAME.key 1024
and then created a 'certificate signing request'
$ openssl req -new -config user-cert.conf -key USERNAME.key \
-out USERNAME.csr
(all one line)
(how to set up a CA is actually documented elsewhere)
Now, in the role of the Certificate Authority God I had to make some
changes to the 'openssl.cnf' file:
- in the "[ new_oids ]" section added the line:
uid=0.9.2342.19200300.100.1.1
- in both the policy_match and policy_anything sections I changed
all the existing lines to 'optional' and added:
uid = supplied
- processed the request with the following command:
# openssl ca -config openssl.cnf -out ~USERNAME/certs/USERNAME.crt \
-infiles ~USERNAME/certs/USERNAME.csr
I then returned to being a mere mortal to continue.
- convert the .crt format certificate to something that openldap likes:
$ openssl x509 -inform PEM -outform DER -in USERNAME.crt \
-out USERNAME.crt.der
I created a minimal ldif file to update my LDAP user object:
>>>>>>
dn: uid=USERNAME,ou=staff,ou=people,o=chebucto,c=ca
changetype: modify
replace: userCertificate;binary
userCertificate;binary:< file:///home/USERNAME/certs/USERNAME.crt.der
<<<<<<<<
- ran the update:
$ ldapmodify -Z -f ldif
The only changes I had to make to slapd.conf were to include the
following lines:
>>>>
TLSVerifyClient try
sasl-regexp
    uid=(.*)
    ldap:///o=chebucto,c=ca??sub?(uid=$1)
<<<<
I restarted slapd for these to take effect.
I updated my ~/.ldaprc to set up the key/cert pair so I can actually use
this... Added the lines:
>>>>>>
TLS_REQCERT demand
TLS_CERT /home/USERNAME/certs/USERNAME.crt
TLS_KEY /home/USERNAME/certs/USERNAME.key
>>>>>
And success:
$ ldapwhoami -Y EXTERNAL -Z
SASL/EXTERNAL authentication started
SASL username: 0.9.2342.19200300.100.1.1=jeffw
SASL SSF: 0
dn:uid=jeffw,ou=staff,ou=people,o=chebucto,c=ca
{end howto}
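The SASL username printed above carries the subject attribute type as its raw OID ("0.9.2342.19200300.100.1.1=jeffw") rather than as "uid". The helper below is an added example, not code from the original post or from OpenLDAP: it DER-encodes and decodes that OID (the same bytes OpenSSL writes into the certificate subject once the [ new_oids ] entry is present) and normalises DN strings so the OID spelling and the short-name spelling compare equal, which is handy when checking what a sasl-regexp pattern such as uid=(.*) will actually see. The OID-to-name table is limited to the attribute types used in the post's DNs.

```python
# Attribute types used in the post's DNs; OID -> short name (RFC 4519).
OID_TO_NAME = {
    "0.9.2342.19200300.100.1.1": "uid",
    "2.5.4.3": "cn",
    "2.5.4.10": "o",
    "2.5.4.11": "ou",
    "2.5.4.6": "c",
}

def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    # The first two arcs are packed into a single value: 40*arc1 + arc2.
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]          # last byte of the arc has the high bit clear
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))    # most significant group first
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(der: bytes) -> str:
    """Inverse of encode_oid for OIDs with a short-form (< 128) length."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    arcs, value = [], 0
    for b in der[2:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear ends the arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    # Undo the 40*arc1 + arc2 packing; arc1 is 0, 1 or 2.
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])

def normalize_dn(dn: str) -> str:
    """Rewrite each RDN attribute type from OID to short name, lower-cased."""
    rdns = []
    for rdn in dn.split(","):           # assumes no escaped commas in values
        attr, _, val = rdn.partition("=")
        attr = attr.strip()
        rdns.append(f"{OID_TO_NAME.get(attr, attr.lower())}={val.strip()}")
    return ",".join(rdns)
```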